
And they (SAP) ‘promised’ not to directly pursue ……

SAP spokespersons and account managers were very quick to tell the world that, now that they had won the Diageo court case, they wouldn’t directly start harvesting the new situation on indirect access. And in effect that’s a bit true. They now seem to aim at the big treasure chests that are out there. AB InBev is tenfold Diageo, and what will be the next big fish? I guess the people at SAP are no real beer drinkers. With these amounts, champagne looks more fitting.

So when you’re a very large SAP client you’re certainly at risk, because with these amounts it isn’t interesting for SAP to put a lot of effort into the smaller organizations.

It is clear that SAP has been preparing itself for this offensive over the last few years and picks the cherries and the easy kills. However, there’s still time to scan for and divert all the risks that come with SAP software (and, not to forget, with other vendors’ software).

SAP wants to be the new Oracle, as it seems. Who cares if you’re not the favourite when you can be Prince John and the Sheriff of Nottingham and ‘tax your clients like a lemon juicer’. CA was one of the first to do this; others, like IBM and Oracle, followed.

And what’s the alternative? Going from SAP to Oracle or IBM? That’s changing lanes on the same highway with identical rules. There are plenty of alternatives, all a lot smaller and all wanting to be the Oracles, SAPs and IBMs of the future. So, get smart. Negotiate how software can be sold to your company and put that in your own contract when you buy this software.

But for now: make sure that you’re not in the risk zone. Arm yourself against any audit (ask me for our audit defence products that will help you with that). Assess your risks and minimize them while you’re still in a negotiating position. You’ll have to decide whether you’re going to be a sitting duck or not.

You’ve got a serious data issue, and might not know about it.

I was at a NextSales meeting with a company that has a solution for anonymizing and pseudonymizing data. And I must say I was happy to be there. As it turns out, they have a solid solution for one of the biggest problems in the IT&SAM field: anonymization of user, personal, commercial or other European GDPR (General Data Protection Regulation) related data.

As software audits are executed more and more, I need to inform more and more organizations about the risk of delivering data to the auditor at his request. Because delivering this data can be seen as a data breach or leak, your company is not only at risk of a license non-compliance fee, but also of a fine that can amount to astonishing numbers (4% of the annual turnover).

Is this solution absolutely fail-proof? They honestly answered no. And that’s correct, because if anyone wants to deliberately crack the safe, he or she will find a way. It is, however, one of the safest (and quickest) ways to do this I’ve seen so far.

So there is a way to reach an agreement with the auditor on handing over data that, until now, was not done in accordance with local and European laws and regulations. It might still be a risk under your local laws, but it is at least a way to break an impasse.

The next topic would be the cost of this anonymization: should you or the auditor/publisher pay for this service? Well, that’s a discussion that could go either way.

The other very interesting piece of knowledge I gathered during this meeting was that it is in fact forbidden by law to copy your operational user data and use it in your test environment (unless you build a DTA environment according to the same security, authorization and risk rules as your production environment, which is seldom seen because of the enormous costs involved). This solution makes it possible to still make use of that data without the former costs and risks.

Come to think of it, this also applies to HR data, commercial data and security data. Although the GDPR is effective as from May 2018, you’d better be prepared for it as soon as possible.

For more information on this topic just contact me or my colleagues at In2SAM and we will help you cover this risk!

Nico Blokland
IT&SAM expert, evangelist
COO at In2SAM BV

ISO 19770 as quality insurance

As more and more organizations are working with SAM solutions, the question is how to keep the quality level as high as it was at the end of the SAM implementation project. And this is a valid question. I see that at the end of these projects organizations lean back and sigh in relief that they finally made it. They inventoried and improved their different data sources and were finally able to build reliable compliance reporting.

However, most organizations are constantly changing, and thus information is changing. If you don’t have a process to check or validate your data and processes periodically, the situation from before the SAM implementation project will quickly creep back in.

To avoid this, you should implement a solution according to the ISO 19770 standard and validate the data periodically. It not only urges you to have the best possible process, but it also pushes you to validate the accuracy of your source information repeatedly.

The new and upcoming ISO 19770-1:Edition 3 provides you with the tools to do so. And why not get certified on it, while you’re at it? Is it an expensive solution? I’m sure that just waiting for the next audit result is way more expensive. Make it a part of your internal audit scheme and prepare for the future with a clear mind on your IT & software assets.

At In2SAM we’re constantly working on the improvement of SAM and the ISO 19770 standard. If you want to know how that would work in your organization, don’t hesitate to contact me or my colleagues.

Nico Blokland
IT&SAM evangelist,
COO at In2SAM,
Dutch delegate at the ISO (19770) Workgroup 21

The legal function in Software Asset Management.

Last week I received an email with a letter attached, inviting us to use the Progress Software Asset Management service. In the attached letter, Progress explained that using this service would be of great advantage to the organisation I work in: it would reduce the cost of licenses a lot. At the end of the letter Progress asked us to provide them with all information about our Progress environment, such as architecture, server names and the Progress products installed on them, and to deliver this information before March 10th, 2017. While reading letters like these, I – as Software Asset Manager – always doubt the friendly intentions of the vendor. So I decided to go to a legal colleague and have him read the email and letter too. After I explained, he also agreed that the email and letter were not as friendly as they looked.

In drafting an answer to such an email and letter the legal function in an organisation plays a big role.

In general, the role of the corporate lawyer in the organization is to monitor the company’s interests on legal aspects. It’s all about mitigating the risks the company is exposed to when entering into purchasing contracts, such as licensing contracts.

In a nutshell, when it’s about a license or purchasing agreement, the lawyer must assess the contract’s terms and conditions for delivery and the terms of use of the purchased software. This implies:

  • proposing better contractual terms and conditions and, together with procurement, negotiating them with the vendor, and
  • drawing up standard contracts for the company.

Normally, the corporate lawyer has no knowledge of licensing models and their application. Having knowledge – and keeping (!) it up to date – of the license models that the manufacturer applies to the offered software, and of the technical aspects of the software, is not common for a regular corporate lawyer. The average corporate lawyer will not be able to oversee the implications of a licensing model (entirely). Of course, legal knowledge and experience combined with knowledge of technology and software asset management is the best situation.

As stated above, it is of great importance to embed the role of the company lawyer in a standardized way in the SAM processes. Indeed, if this does not happen, people simply forget to involve the corporate lawyer in cases as mentioned above, and then major mistakes are made when entering into (software) contracts. This eventually leads to financial consequences for the organization. The role of the corporate lawyer is – besides those of procurement and the software asset manager – vital.

Maarten Karnekamp

CEO In2SAM

SAM and HR

In a previous blog about SAM processes I mentioned the Human Resources department (HR) as a major participant. Last week I met an HR Manager of a midsize company. Among other topics we talked about my statements regarding the role of HR in SAM processes. She appears to have a good relationship with the IT department (IT). They communicate regularly and, thanks to her input, the software licenses are managed well. In terms of legislation and training, however, there are gaps: risks that they did not expect.

First, the processes: they are running smoothly. She reports new employees, ‘joiners’, to IT two weeks before they start. IT prepares a desktop or laptop with all the applications that are standard for the joiner’s function. Employees can request additional software from IT. Their manager approves the request. HR is informed.

For employees who leave the company, ‘leavers’, the procedure is similar. No later than the day after the leaver has handed over his equipment, his accounts and email are blocked. Attention is paid to disabling Salesforce accounts. If this is not done, the employee, who is already working for another firm, still has access to company-critical data.

The licenses of the returned software are released for reuse, in compliance with the rules of the supplier (e.g. 90 days at Microsoft).

This company apparently ensures that all employees have the software they need. But what if an employee installs pirated software on his laptop anyway? Is he able to do that in the first place: does he have the credentials? Are laptops checked regularly? Is the company aware of the risks in this area? The response from our HR manager is clear: users have administrator rights, we hardly check, and personally I never realized that this would be a risk.

In August 2016, the court ruled in a lawsuit brought by Siemens against a customer.* The employer provided a laptop to an external employee. The employee installed and used Siemens software illegally. The employer was not aware of this and held that he could not have prevented it. The court ruled otherwise. The employer had to pay more than € 13,000 to Siemens for missed license and maintenance fees, on top of the full costs of the proceedings, being more than € 9,000.

This is a recent example, and there are many more. The company of our HR Manager admittedly does not use Siemens software, but the risk is not any less. A pirated version of an Adobe product is simply downloaded and installed. And they do use Adobe software!

The employer is liable, but what can he do? It starts with a clear statement in the employment or assignment contract that installing and using illegal software is strictly prohibited. Compliance with this prohibition should then be monitored, and sanctions must follow in case of violation. Training regarding ethics, compliance and the like can be used to re-emphasize the impact of this issue.

Fortunately, the HR manager has a good relationship with IT. They will solve this together, with – in this case – HR in the lead!

Hans van der Zanden
Co-founder and CFO of In2SAM BV, The Netherlands
Process guru for 25 years
Expert added to ISO Workgroup 21, co-editor of additions to ISO 19770

* For a detailed explanation, see the column by Maarten Menger (Dutch): http://www.mkbservicedesk.nl/10676/ben-aansprakelijk-voor-illegale-software.htm#

The verdict can be found at https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:RBROT:2016:6240

Being a hybrid client

It’s getting more and more common these days: an organization that makes use of SaaS software of a particular vendor next to subscription and perpetual licenses from that same vendor.

As we’ve seen in the past, the registration of perpetual and subscription licenses was already quite a burden for the publishers and the vendors. Let alone the licenses sold via the hardware partner or OEM channels! Although the publishers have had to improve their administration to meet the need for proof during their ongoing years of auditing, it’s still not uncommon that, if you request your license position from some vendor a few times during a year, you’ll get a different position every time (and not because you bought new licenses during that time).

And now we’re adding a new channel to all of that: we’re going to make use of licenses in a cloud or service-based environment. This is another layer of registration the vendor or publisher has to maintain. Not to mention the fact that the vendor now has to distinguish whether the accountability for the usage of such a license lies with the service provider or with the end user (organization), given the historical lack of precision in the perpetual and subscription administration of the vendors/publishers.

I’m also very curious how all of this is incorporated into one contract with a software publisher, as metrics vary and applicable laws and legislation differ from country to country.

I would advise you, as a hybrid user, to make sure you have an effective administration of your own!

A discovery system that is able to measure utilization of SaaS/cloud software via the browser is a necessity for that. Next, a Software Asset Management tool with the latest license models and publisher metrics incorporated makes life easier.

When using this to its full potential you’ll see that those Pay-for-Use contracts actually aren’t. Especially when you can subscribe per month but unsubscribe only per year (e.g. Microsoft), while the highest number of subscriptions will count for that year.

At In2SAM we help you with all IT&SAM related topics. We always do that from a client perspective and we treasure our independent status towards the software publishers.

Nico Blokland

IT&SAM evangelist and specialist

ISO19770 on the route to maturity and acceptance

Although ISO19770 (IT asset management) is a relatively young standard, it has been around since the SAM market started to become lively in the mid-2000s.

For a few years now, I have been the delegated member of the Dutch National Standards Body at WG21 (WG21 is Workgroup 21 under SubCommission 7 of the Joint Technical Committee 1 of the International Standards Organization). And I was already connected to the very first beginnings, when it was still in the Microsoft SOM development tank. So why isn’t this standard yet globally accepted? It might be that it wasn’t comprehensive enough (till now), and maybe it cannot be for a while without the proper support. However, the current developments on the standard are impressive, and all focus on the regulation and standardization of the IT assets and, most specifically, the software assets.

To the question I asked in almost every conversation I had about SAM with various peers, clients and prospects, whether ISO19770 would be the standard for them if it became certifiable, I almost always got a solid yes. So, that is what we proposed at the WG21 meeting in Berlin: make 19770 certifiable. Not every part (Dash-2 SW-ID tags, Dash-3 Entitlement tags) is yet ready for that, but that might change in the future.

So I started out building requirements and boundaries for ISO19770-1: Edition 3. As this must be a globally accepted standard, there’s an initial group of countries that promised to support me in getting the certifying framework ready. If you’re interested in getting involved in this, please contact your local representative or national standards body.

Does this mean that every organization that claims to be ISO19770 compliant or certified in fact is not? Unless it was done by an accreditation body: yes, that is what it means. And even if an organization is certified correctly, the value of the certificate is doubtful. You have probably read somewhere that the current standard is too vague to set clear requirements. This doesn’t mean that you might not have been thoroughly assessed on the standard. It means that you have not been assessed according to a globally accepted set of requirements of the ISO19770 standard, which makes it a subjective assessment.

A fellow WG21 member from the UK has also started some New Work in Progress on ISO19770: the Dash-8. This will map the standard to global best practices like ITIL, Cobit, Microsoft’s SOM, etc.

So, if we all put our effort into making ISO19770 the real standard for the whole SAM industry, i.e. the end users, the SAM tooling vendors, the software publishers and the auditors, we will also accomplish mutual acceptance between users and publishers.

As said, I’m looking for organizations that will help us make ISO19770 certifiable and become the first ones certified. I already have some requests from SAM tool vendors to become 19770 certified, as they want to be certain that they report on compliance and other business rules according to the global standard.

As we’re now looking for the local accreditation organizations to support the certification of persons on ISO19770, I would welcome information on your local representative for that.

It’s a busy time for the ISO19770 family now. There are 4 (four!) documents up for global ballot. Among them is the brand new ISO19770-1:Edition 3. This is a modernized and more market-synchronized standard. There are still tiers (reduced to 3 and changed quite extensively), but not as the central framework. They are mentioned in the annex of the document, just meant as guidance. The ISO19770-4 and -8 are exciting new additions to the family. As said, the -8 will map all best practices against ISO19770. The -4 is all about Resource Utilization Metering (RUM) and will bring another standard to our growing 19770 family. The fourth ballot is on technical changes to the -2 standard.

You see, there’s a lot going on at WG21 and we need you, SAM experts not already involved, as our conscience and sparring group to keep ISO19770 ever improving. If you’re based in the Netherlands, you can contact me for this. If you’re based anywhere else in the world, you can contact me or your local representative to discuss current and future ISO19770 matters.

There’s much more to tell about every single standard and how they’re connected to the better-known standards like 20000, 27000 and 55000. You can also read the next post(s) of my colleague Hans van der Zanden, giving more in-depth information on this topic. In the meantime, I hope you have gained some interest in this standard and want to know more. Don’t hesitate to contact me or my colleagues at In2SAM.

Nico Blokland

COO In2SAM, IT&SAM evangelist and specialist

SAM Processes and ISO

In the previous blogs in this series I described my favorite SAM process model and the organizational units that are involved. ISO 19770 is the standard that should support organizations in proving that their processes comply with globally accepted recommendations. Unfortunately, certification is not yet possible (see also ‘Although ISO 19770’ by my colleague Nico Blokland). Preparing for future certification by implementing designated processes, however, will always pay off, even without certification. Which processes are we talking about?

ISO 19770-1

The ISO 19770 family includes standards for software, software suppliers, etc. Standards are distinguished by ‘dashes’. -4 (‘dash 4’), for instance, is all about Resource Utilization Metering. -1 is the standard for organizations that want to improve their maturity and prove their compliance.

The first edition of ISO 19770-1 was published in 2006. It provides a comprehensive process framework, consisting of 27 processes.

[Figure: ISO 19770-1 edition 1 process diagram]

You won’t be surprised that this model proved to be too comprehensive for most organizations. Therefore edition 2 was established in 2012. Four tiers provide an approach for a phased implementation of the processes and for staged improvement of SAM maturity:

  • Tier 1 – Trustworthy data
  • Tier 2 – Practical management
  • Tier 3 – Operational
  • Tier 4 – Full ISO/IEC SAM conformance

Again, however, it’s no success story. Especially the intertwining between the tiers and the process framework makes it complex. Edition 2 was promised to be accessible and assessable, but neither came true. There is good news, however. ISO19770-1:Edition 3 is up for global ballot. I expect that it will be adopted in May 2017. What are the main differences, and will they work out this time?

A striking difference is the simplification of the process framework, including a clear relationship with three tiers:

  • Tier 1 – Trustworthy Data
  • Tier 2 – Lifecycle Integration
  • Tier 3 – Optimization

I will show the picture and discuss the model after publication in May.

The accessibility has been substantially improved, the assessability not yet. Our challenge is to make this edition assessable and certifiable in the short term. I’ll keep you informed.

For the time being we apply our In2SAM process model (Figure 2), which I explained in my previous blogs.

[Figure 2: In2SAM SAM process model]

This model is fully compliant with the ISO19770 standard. If implemented in a smart way it guarantees a solid return on investment and future certification.

Of course, this raises the question of what I mean by ‘a smart way’ to implement processes. The implementation approach will be the topic of my next blog. I hope to have your interest again then.

Hans van der Zanden
Co-founder and CFO of In2SAM BV, The Netherlands
Process guru for 25 years
Expert added to ISO Workgroup 21, co-editor of additions to ISO 19770

SAM Processes and Organization part II

After reading my previous blog in this series, the observant reader will have concluded that managing software compliance requires a combination of SAM tooling and processes, and not only the processes that are supported directly by the tooling. I introduced my favorite SAM process model and the SAM Core processes. In this subsequent blog, I’ll give an impression of the organizational units involved in SAM processes.

Processes and Organization

Software Asset Management is a concern for the whole organization. The greater part is involved passively. They need to be informed about relevant SAM policies, and must act accordingly. Only a number of employees are actively engaged in SAM processes. Depending on the organization’s maturity level some of them may have dedicated SAM roles, whether or not in a SAM organizational unit. Related processes and units, e.g. IT, Procurement and Finance are also involved in SAM processes. It is not possible to design ‘the standard organization model’, according to which SAM roles and responsibilities must be assigned.

[Figure 1 – SAM Process Model] [Figure 2 – Sample Organization Model]

Figure 2 shows a simplified organization model that I will use below to discuss some aspects that must be considered when implementing SAM processes in the organization.

Accountability and mandate

Software Asset Management requires a substantial investment, to realize a much bigger profit by cost savings and risk reduction. The amounts of money that we are talking about justify attention and commitment at Board level.

In fact, the CEO is accountable for the organization’s compliance. Probably he will delegate the accountability for software compliance to someone in the organization. Let’s call him the ‘SAM Executive Sponsor’. This person must be willing to spend money on SAM and must be able to make decisions, for example in case of escalations. Ideally, the SAM Executive Sponsor will be at Board level, e.g. the CFO. At this level, it is possible to provide strategic guidance to projects and processes.

The second role, which must have at least the mandate of the senior management, is the SAM Process Owner (PO). He is responsible for designing the SAM processes and tool selection, and implementing and monitoring the processes. This could be an employee at enterprise staff level, e.g. in the ‘Compliance Office’ (see Figure 2).

Besides these two roles there is the SAM Manager. He is the one who operationally manages the SAM processes.

Until recently, however, and for many organizations even still, the management of software is not a priority. Software is considered to be an IT issue, and as long as unexpected excessive costs do not trigger the CFO, no initiatives will be taken at senior management level. Consequently, in most organizations SAM roles can be found in the IT department, often with the SAM PO and the SAM Manager even combined in one person. Because SAM processes depend on processes outside IT (Finance, HR, etc.), this person might lack the mandate to have those departments adapt their processes.

Central vs. decentralized

Since compliance, and consequently audits by vendors, is a corporate issue, the main SAM processes must be centralized. If operational activities must be executed in a decentralized way, care must be taken to align the processes and manage the data.

ISO 19770-1 distinguishes between a central and local Process Owner. In our opinion local POs are always subject to corporate coordination.

Related organizational units

When implementing Software Asset Management, it is important to determine your stakeholders, especially stakeholders in other organizational units than the one you’re running your SAM implementation project from. Stakeholders will have the most influence on your SAM project, because it is their action or inaction that determines success or failure. So, it’s crucial to enlist their support, or to determine the risk when they treat the SAM project as a threat to their KPIs, making them oppose the project.

The IT department is the most important stakeholder for the SAM Team; probably the team is even part of IT. Many IT employees are dealing with applications in all stages of their lifecycle, thus being involved in SAM processes, which are closely related to the ITIL processes. The SAM Team receives data about the status and usage of software. On the other hand, the SAM Team is involved in decisions about purchasing, designing and deploying software.

In Figure 2 I pictured the RSCQ roles (Risk, Security, Compliance and Quality) together as an organizational unit. However, in reality these roles will be positioned differently. Sometimes they operate at corporate level but it’s also possible at departmental level (and thus only for a part of the organization).

While aiming at mitigating organizational risks and at compliance with organizational security or QA standards, all these processes also relate strongly to compliance with license agreements and – therefore – interact directly with SAM policies and the SAM organization.

Finance is the unit that keeps track of all financial transactions within the organization. Non-compliance in software licensing translates into lost dollars/euros in terms of fines, buying lacking licenses, and loss of revenue and market share due to negative publicity. While the SAM project initially needs financial funding, the project will lead to a return on investment that can be significantly higher than the losses.

In a large organization, you may encounter different currencies and different (national) tax systems.

Charging of software costs, if applicable, e.g. to business units or regions, will be processed by the Finance department, based upon data from the SAM Team.

For your SAM project, you may have to deal with the Chief Financial Officer directly as one of the key stakeholders.

Procurement is the unit that needs to ensure that the purchasing processes for company-approved purchases are done in an orderly fashion and that purchases are made at the most favourable price. Their support and cooperation are required for the reconciliation of purchase orders and invoices with software licenses to determine the extent of non-compliance.

In organizations that have a dedicated contract management function the SAM organization must be designed to work closely with contract managers since software agreements are contracts themselves. Processes for software acquisition can benefit from the knowledge and experience of skilled contract managers, primarily in the negotiation of terms and conditions. Be aware that in large geographically spread organizations the content of contracts for – apparently – the same software may differ. Also, processes for software acquisition may differ due to cultural aspects.

The potential for software license non-compliance and the need for ongoing legal review of software agreements and maintenance contracts lead to a significant need for services from the Legal department of the organization. Almost every time negotiations about contractual terms and conditions are going on, the legal department will be involved.

The Human Resources Department (HR) provides information about employees, e.g. numbers and new and departing employees.

Key to the success of the SAM organization is that policies regarding software compliance are acknowledged and adhered to by all employees. This is also a key goal for the HR Department. They must ensure that all employees are properly educated in these organizational policies, with the associated responsibility for addressing employee counselling when policy violations occur. Any remedies for policy violations (sanctions!), especially if they involve a permanent record in personnel files or even termination of the work contract between the organization and the employee, must be coordinated with HR.

Conclusion

There is no standard recipe for positioning a SAM Team in an organization. It is obvious, however, that the SAM Team interfaces with many organizational units, including their processes. These interfaces are two-way. They provide data but also benefit from the information and expertise of the SAM Team. The SAM project will have to schedule activities explicitly to involve all related units.

Hans van der Zanden
Co-founder and CFO of In2SAM BV, The Netherlands
Process guru for 25 years
Expert added to ISO Workgroup 21, co-editor of additions to ISO 19770

Legal Affairs in Software Asset Management

Yesterday I had a meeting with a member of the Legal Department in our organization to discuss a number of issues in a software (purchase) contract. It struck me that the colleague had a good eye for all the legal snags in the contracts when it comes to penalty clauses.

In general, within a legal department it is all about mitigating contractual risks in contracts, e.g. in HR or building contracts. However, when it comes to the legal consequences of accepting EULAs and licensing models, this department’s understanding is less.

In this case the software manufacturer proposed contractual provisions with a penalty, because the manufacturer would deliver the software without any technical protection mechanisms. The manufacturer normally delivers the software with a dongle. However, the infrastructure of the organization is fully virtualized, so a (hardware) dongle is not applicable and therefore not accepted.

For the sake of protecting its intellectual property, the manufacturer therefore proposed to include penalty clauses in the license agreement. In itself this is understandable, but if the provision is not limited, and also applies when the software is installed by a third party in deviation from the license model, the customer would also have to pay fines.

In addition, an audit clause and the requirement that the software should never be transferred to another party were discussed in the meeting. The latter is in contrast with the decision of the European Court in the UsedSoft vs. Oracle case. The department was unfamiliar with the ruling. Also, the possibility of using an audit protocol and an NDA in audits had not been considered.

All of the above makes it clear once again how necessary it is to involve the legal department of the organization when implementing software asset management and to make them fully aware of the different clauses regarding the use of licenses and license audits.